Elective controls
Elective controls enable you to lock down or track attempts at performing commonly restricted actions in an AWS enterprise environment. These controls are not enabled by default, and can be disabled. Following, you'll find a reference for the elective controls available in AWS Control Tower. The elective controls specifically for data residency are collected into a separate section, Controls that enhance data residency protection.
Topics
- Disallow Changes to Encryption Configuration for Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive]
- Disallow Changes to Logging Configuration for Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive]
- Disallow Changes to Bucket Policy for Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive]
- Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive]
- Disallow Changes to Replication Configuration for Amazon S3 Buckets
- Disallow Delete Actions on Amazon S3 Buckets Without MFA
- Detect Whether MFA is Enabled for AWS IAM Users
- Detect Whether MFA is Enabled for AWS IAM Users of the AWS Console
- Detect Whether Versioning for Amazon S3 Buckets is Enabled
- Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry
Disallow Changes to Encryption Configuration for Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive]
This control disallows changes to encryption for all Amazon S3 buckets. This is a preventive control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following service control policy (SCP).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRAUDITBUCKETENCRYPTIONENABLED", "Effect": "Deny", "Action": [ "s3:PutEncryptionConfiguration" ], "Resource": ["*"], "Condition": { "ArnNotLike": { "aws:PrincipalARN":"arn:aws:iam::*:role/AWSControlTowerExecution" } } } ] }
Disallow Changes to Logging Configuration for Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive]
This control disallows changes to logging configuration for all Amazon S3 buckets. This is a preventive control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following SCP.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRAUDITBUCKETLOGGINGENABLED", "Effect": "Deny", "Action": [ "s3:PutBucketLogging" ], "Resource": ["*"], "Condition": { "ArnNotLike": { "aws:PrincipalARN":"arn:aws:iam::*:role/AWSControlTowerExecution" } } } ] }
Disallow Changes to Bucket Policy for Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive]
This control disallows changes to bucket policy for all Amazon S3 buckets. This is a preventive control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following SCP.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRAUDITBUCKETPOLICYCHANGESPROHIBITED", "Effect": "Deny", "Action": [ "s3:PutBucketPolicy" ], "Resource": ["*"], "Condition": { "ArnNotLike": { "aws:PrincipalARN":"arn:aws:iam::*:role/AWSControlTowerExecution" } } } ] }
Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive]
This control disallows lifecycle configuration changes for all Amazon S3 buckets. This is a preventive control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following SCP.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRAUDITBUCKETRETENTIONPOLICY", "Effect": "Deny", "Action": [ "s3:PutLifecycleConfiguration" ], "Resource": ["*"], "Condition": { "ArnNotLike": { "aws:PrincipalARN":"arn:aws:iam::*:role/AWSControlTowerExecution" } } } ] }
Disallow Changes to Replication Configuration for Amazon S3 Buckets
Prevents changes to the way your Amazon S3 buckets have been set up to handle replication within Regions or across Regions. For example, if you set up your buckets with single-region replication, to restrict the location of your Amazon S3 data to a single AWS Region (thereby disabling any automatic, asynchronous copying of objects across buckets to other AWS Regions), then this control prevents that replication setting from being changed. This is a preventive control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following SCP.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRRESTRICTS3CROSSREGIONREPLICATION", "Effect": "Deny", "Action": [ "s3:PutReplicationConfiguration" ], "Resource": [ "*" ] } ] }
Disallow Delete Actions on Amazon S3 Buckets Without MFA
Protects your Amazon S3 buckets by requiring MFA for delete actions. MFA requires an extra authentication code after the user name and password are successful. This is a preventive control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following SCP.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRRESTRICTS3DELETEWITHOUTMFA", "Effect": "Deny", "Action": [ "s3:DeleteObject", "s3:DeleteBucket" ], "Resource": [ "*" ], "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": [ "false" ] } } } ] }
Detect Whether MFA is Enabled for AWS IAM Users
This control detects whether MFA is enabled for AWS IAM users. You can protect your account by requiring MFA for all AWS users in the account. MFA requires an additional authentication code after the user name and password are successful. This control does not change the status of the account. This is a detective control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following AWS Config rule.
AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether the IAM users have MFA enabled Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 1hour Description: The frequency that you want AWS Config to run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: CheckForIAMUserMFA: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether the AWS Identity and Access Management users have multi-factor authentication (MFA) enabled. The rule is COMPLIANT if MFA is enabled. Source: Owner: AWS SourceIdentifier: IAM_USER_MFA_ENABLED MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency
Detect Whether MFA is Enabled for AWS IAM Users of the AWS Console
Protects your account by requiring MFA for all AWS IAM users in the console. MFA reduces vulnerability risks from weak authentication by requiring an additional authentication code after the user name and password are successful. This control detects whether MFA is enabled. This control does not change the status of the account. This is a detective control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following AWS Config rule.
AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether MFA is enabled for all AWS IAM users that use a console password. Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 1hour Description: The frequency that you want AWS Config to run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: CheckForIAMUserConsoleMFA: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether AWS Multi-Factor Authentication (MFA) is enabled for all AWS Identity and Access Management (IAM) users that use a console password. The rule is COMPLIANT if MFA is enabled. Source: Owner: AWS SourceIdentifier: MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency
Detect Whether Versioning for Amazon S3 Buckets is Enabled
Detects whether your Amazon S3 buckets are enabled for versioning. Versioning allows you to recover objects from accidental deletion or overwrite. This control does not change the status of the account. This is a detective control with elective guidance. By default, this control is not enabled.
The artifact for this control is the following AWS Config rule.
AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether versioning is enabled for your S3 buckets. Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForS3VersioningEnabled: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether versioning is enabled for your S3 buckets. Source: Owner: AWS SourceIdentifier: S3_BUCKET_VERSIONING_ENABLED Scope: ComplianceResourceTypes: - AWS::S3::Bucket
Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry
This elective control disallows management of the following extension types in the AWS CloudFormation registry: resource types, modules, and hooks. For more information about AWS CloudFormation extensions, see Using the AWS CloudFormationregistry.
Note
You must enable this control when you activate proactive controls in your environment.
Control objective: Protect configurations
Implementation Service control policy (SCP)
Control behavior: Preventive
Control guidance: Elective
Control owner: AWS Control Tower
Control ID: CT.CLOUDFORMATION.PR.1
Severity: Critical
AWS Service: AWS CloudFormation
Resource types:
AWS::CloudFormation::HookDefaultVersion, AWS::CloudFormation::HookTypeConfig, AWS::CloudFormation::HookVersion, AWS::CloudFormation::ModuleDefaultVersion, AWS::CloudFormation::ModuleVersion, AWS::CloudFormation::ResourceDefaultVersion, AWS::CloudFormation::ResourceVersion
The following example shows the SCP artifact for this control.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRDISALLOWMODIFICATIONCFNREGISTRY", "Effect": "Deny", "Action": [ "cloudformation:RegisterType", "cloudformation:DeregisterType", "cloudformation:SetTypeConfiguration", "cloudformation:SetTypeDefaultVersion", "cloudformation:PublishType" ], "Resource": [ "*" ], "Condition": { "ArnNotLike": { "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution" } } } ] }
